DNS and multiple tree forests

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Last couple of days I've been configuring a forest with two trees (domain1.local and domain2.local as the respective DNS names for the two root domains) in VMware in order to practice setting up trusts.

I have currently got the two root domains in place with domain controllers working quite happily as DNS servers for each respective tree.

I then created a child domain in the first tree called child1.domain1.local and this worked fine with the child domain folder added to the DNS zone for domain1.local.

I then went to create a child domain in the second tree (child1.domain2.local) but this time the Active Directory install wizard stalled at the point where it shows "Examining an existing Active Directory Forest" or very similar and then displays the error message that it cannot connect to the PDC emulator which is the domain controller in the first tree.

Now PDC Emulators are domain level operations masters so I'm confused about why the AD wizard is trying to connect to the PDC emulator in the other root domain when presumably the domain controller in the root domain of the second tree will also be functioning as a PDC emulator.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hmm, can't see where you went wrong here. I'm working with a similar setup in VPC during courses and don't have any problems. Did you check the addresses of the DNS server in the DC for the child domain?

 

Are your domains on different subnets?

 

No I've deliberately kept all the domains in the same subnet of 192.168.1.x/24. At the moment:-

Domain 1 DC1 - 192.168.1.1

 

Oops that one uploaded before I intended...

Domain 1 DC1 = 192.168.1.1
DC2 = 192.168.1.2

Child 1 DC1 = 192.168.1.10


Domain 2 DC1 = 192.168.1.100

I can ping and host from any host so networking is configured right.

I've also got the Parent and child trust established between Dom1 and Child1 and the tree-root trust between Dom1 and Dom2.

Like I said everything was going sweet until I tried to create the child domain in the second tree.

I take it I am right in thinking that the DC in each root domain will act as the authoritative DNS server for its respective tree. So when configuring the IP settings for the server which will be my DC for the child 2 domain, I should use the IP address of DC1 in domain2 as the preferred DNS server?

 

I don't think the network itself would be a problem, but it could complicate things.

You have two trees, so you have two different parent domains. Every tree should have its own DNS server. In DNS the client (or child) will find the domain controller using the service records. If you have only 1 DNS server, every child will use the same service record and therefor the same domain controller. For the second tree however this is not the correct choice. It should find its own DC. You could solve this by having a second zone in DNS.

 

philbenson,

Do you have a Forest Domain Controller?

 

Ok, started from afresh last night and this is how things went.

First DC in first domain of first tree (192.168.1.1) - no problem.
First DC in first domain of second tree (192.168.1.31 - no problem
Tree-root trust between root domains - no problem
First DC in child domain of second tree (192.168.1.41) - AD wizard stalls
First DC in child domain of first tree (192.168.1.21) - no problem
Parent and child tust between domains in first tree - no problem.

So now I have two trees - one with a parent and child domain, and the other tree with just the root domain. What I want to do is create a child domain in the second tree and then establish a short-cut trust between both child domains.

The AD wizard stalls saying that a connection cannot be established with the domain naming master which is the DC in the root domain of the first tree (obviously). Now this is a forest level operations master and since the tree root trust is established, I can't figure out why there is a connection problem here. When installing AD, I can see both root domains listed when selecting a user account to install AD.

Needless to say whenever a new domain is added to an existing forest, the domain naming master needs to be contacted to confirm that the chosen domain name is unique.

Both DCs in each root domain are also DNS servers for their own tree. So the DC in the child domain of the second tree will use the DC in the second tree root domain as its DNS server.

All I want to do is to be able to create the child domain in the second tree!!

 

philbenson,

I'm not exactly sure about AD in a Windows Server 2003 environment but for Windows Server 2000, you have to create the Forest Root Domain Controller first, then create a child Tree Root Domain Controller from the Forest Root DC, then create a child Domain Domain Controller off the recently created Tree Root DC. In other words, it's a top down process.

 

That is what he did if I read correctly. Interresting problem.

 

So in other words the first DC you create in the first root domain of the forest becomes the Forest Root Domain Controller. Makes sense. I am doing the right thing - just in the wrong order.

I need to create the root and child domains of the first tree followed by the root and child domains of the second tree in that order. That right?

 

philbenson,

Actually from what I recall of AD v1.0, the heirarchy is as follows:

1. Root
2. Forest
3. Tree
4. Domain

So the first Domain Controller you create will be the Root Domain Controller. So to make this graphical somewhat, here goes.

1. Root Domain Controller

Then, under the Root Domain Controller, you create a Forest Domain Controller.

1. Root Domain Controller
   1. Forest Domain Controller

Then, under the Forest Domain Controller, you create a Tree Domain Controller.

1. Root Domain Controller
   1. Forest Domain Controller
      1. Tree Domain Controller

Then, under the Tree Domain Controller, you create a Domain Controller.

1. Root Domain Controller
   1. Forest Domain Controller
      1. Tree Domain Controller
         1. Domain Controller

So in your case, you want to create a single Forest with two Trees, with each Tree having a child domain. In that case, it's:

1. Create the Root Domain Controller.
2. Create the Forest Domain Controller.
3. Create the First Tree Domain Controller.
4. Create the Second Tree Domain Controller.
5. Create the First Child Domain Controller of First Tree Domain Controller.
6. Create the First Child Domain Controller of Second Tree Domain Controller.

Let's give these things names:

1. Root = Carrot
2. Forest = Sherwood
3. First Tree = Oak
4. First Tree Child Domain = Acorn
5. Second Tree = Palm
6. Second Tree Child Domain = Coconut

That should result in:

1. Carrot Root Domain Controller
   1. Sherwood Forest Domain Controller
      1. Oak Tree Domain Controller
         1. Acorn Domain Controller
      2. Palm Tree Domain Controller
         1. Coconut Domain Controller

Does this help clarify things? If not, feel free to ask some more questions.

 

I think your recallection is a bit shaken.
The first domain controller you install will ask you some questions. I will ask you if this domain controller is the first one for the domain, tree and forrest. In the forrest domain controller you need the schema. How would you be able to create the forrest domaincontroller as the second machine?

 

Tinus1959,

As I mentioned, my knowledge is based on AD v1.0, aka Windows 2000. So maybe things have changed for Windows 2003.

 

Nope. But maybe you could post a link to where you found this info?

 

Tinus1959,

Most of this is recollection from a Windows 2000 Server course I took at a community college back in 2001. I was trying to understand this Active Directory thing since it was different than the Windows NT 4.0 domain structure. For a single organization migrating from Windows NT 4.0 to Windows 2000, I understand that you create a Windows 2000 Domain Controller in mixed mode, then you migrate your resources from the Windows NT 4.0 domain structure into the Windows 2000 Active Directory structure, then flip the switch from mixed mode to native mode. But I asked my instructor what do you do for two organizations merging. For an example, the question of two corporations merging, like for example the Daimler-Benz Corporation and Chrysler Corporation merger. The way he explained it is that for Windows 2000 Active Directory v1.0, it is a top down architecture. That's why you'd need to first create the root Domain Controller who's only purpose is to be the top Domain Controller. Then create the child Forests from that Root Domain Controller. For example, create the Daimler-Benz Corporation Forest and the Chrysler Corporation Forest. Then from the Forest Domain Controller, create a child Tree. Then you fill out say the Chrysler Corporation Forest with the Chrysler Tree, Jeep Tree, and Plymouth Tree. If there's any migrations from Windows NT 4.0 that needed to be done, then that was done at the echelon where a new Domain Controller was created. Then, after creating the Root, Forest, Tree, and any child domains of the Trees, flip the switch from mixed mode to native mode then you're set.

Here's something from Microsoft about Active Directory architecture.

Source:

1. Microsoft TechNet - Windows 2000 Server - Active Directory Architecture - http://technet.microsoft.com/en-us/library/bb727030.aspx

 

Well, I believe your instructor did not understand AD than, or you misunderstood what he told you. No problem there, happens to me all the time. When I read the article I find no clues on your statement that the forest root would be the second domain controller.
Let me explain:
The thing all domain controllers in a forest have in common is the schema. That schema is created when your first domain controller is set up. Before this domain controller there is nothing. The first domain controller is the base of everything. It is the root for the forest. It is the root of the first tree and at the same time the root of that very domain. Every next domain controller shares the schema with this one. When you set up the second domain controller it asks you if you want to create a new (independent) forest or would like to join an existing forest. The next question is if you would like to start a new tree or would like to join an existing tree and the final question is if you want to start a new (child) domain or want to join an existing domain.

It is as simple as that.
In windows 2000 as far as I know merging two forests together was a hel of a job. You had to recreate the second forest under the first one. Most of the time the problem was solved with trusts.
Why was merging a problem? Well, you had two schemas and merging the two databases with sid given out and so turned out to be a problem. In 2003 merging two forest is still a tricky business.